CVE-2021-23240

7.8 HIGH

📋 TL;DR

CVE-2021-23240 is a privilege escalation vulnerability in Sudo's SELinux RBAC support that allows local unprivileged users to gain file ownership and escalate privileges by exploiting a symlink race condition in temporary file handling. Only systems with SELinux in permissive mode are affected; machines without SELinux or with SELinux in enforcing mode are not vulnerable.

💻 Affected Systems

Products:
  • Sudo
Versions: All versions before 1.9.5
Operating Systems: Linux distributions with SELinux support (RHEL, Fedora, CentOS, etc.)
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when SELinux is enabled and in permissive mode. Systems without SELinux or with SELinux in enforcing mode are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local unprivileged user gains root privileges and full system control

🟠 Likely Case: Local user escalates privileges to gain unauthorized file access and execute arbitrary commands

🟢 If Mitigated: No impact if SELinux is disabled or in enforcing mode, or if Sudo is patched

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local user access
🏢 Internal Only: HIGH - Any local user account can potentially exploit this to gain root access

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local user access and SELinux in permissive mode. The vulnerability is in the sudoedit command's temporary file handling.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Sudo 1.9.5 and later

Vendor Advisory: https://www.sudo.ws/security/advisories/sudoedit_selinux/

Restart Required: No

Instructions:

1. Update Sudo to version 1.9.5 or later using your distribution's package manager.
2. For RHEL/CentOS: 'sudo yum update sudo'.
3. For Ubuntu/Debian: 'sudo apt update && sudo apt upgrade sudo'.
4. Verify the update with 'sudo --version'.

🔧 Temporary Workarounds

Set SELinux to enforcing mode (linux)

Change SELinux from permissive to enforcing mode to prevent exploitation:

sudo setenforce 1
Edit /etc/selinux/config to set SELINUX=enforcing (so the mode persists across reboots)

Disable SELinux temporarily (linux)

Completely disable SELinux (not recommended for production):

sudo setenforce 0
Edit /etc/selinux/config to set SELINUX=disabled

Caveat: 'setenforce 0' does not disable SELinux; it switches a running system to permissive mode, which is exactly the state this vulnerability requires. SELinux cannot be fully disabled at runtime, so the SELINUX=disabled setting only takes effect after a reboot, and until then the host remains exposed.

🧯 If You Can't Patch

  • Set SELinux to enforcing mode instead of permissive mode
  • Restrict sudoedit usage through sudoers configuration

🔍 How to Verify

Check if Vulnerable:

Check whether SELinux is in permissive mode with 'getenforce' (output 'Permissive') and check the Sudo version with 'sudo --version | head -1'; a host is vulnerable only if both conditions hold (permissive mode and a version older than 1.9.5).

Check Version:

sudo --version | head -1

Verify Fix Applied:

Verify Sudo version is 1.9.5 or later with 'sudo --version | head -1'

📡 Detection & Monitoring

Log Indicators:

  • Failed privilege escalation attempts in sudo logs
  • Unusual sudoedit usage patterns
  • SELinux permission denials followed by successful operations

Network Indicators:

  • None - this is a local privilege escalation

SIEM Query:

source="sudo" AND (event="COMMAND" OR event="FAILED") AND command="*sudoedit*"
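The SIEM query above is generic pseudo-syntax; on a host, the same triage can be done directly against sudo's syslog lines. The script below is an added example, not part of this advisory page or of the Sudo project. The log lines in it are constructed samples in sudo's default syslog format (invoking user, then TTY/PWD/USER/COMMAND fields), and the function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the advisory page): pull sudoedit activity out of
# sudo syslog lines, covering the "unusual sudoedit usage" indicator above.
# SAMPLE_LOG holds constructed lines; on a real host feed the functions
# /var/log/auth.log, /var/log/secure or `journalctl -t sudo` output instead.

SAMPLE_LOG='Jan 12 10:15:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=sudoedit /etc/motd
Jan 12 10:15:05 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/ls /root
Jan 12 10:16:20 host1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=sudoedit /etc/sudoers
Jan 12 10:17:42 host1 sudo:    alice : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=sudoedit /etc/shadow'

# Print one "STATUS user target" line per sudoedit invocation.
# STATUS is DENIED when sudo rejected the command, otherwise OK.
sudoedit_events() {
    printf '%s\n' "$1" | awk '
        / sudo: / && /COMMAND=sudoedit/ {
            user = $6                      # field after "sudo:" is the invoking user
            status = ($0 ~ /command not allowed|NOT in sudoers/) ? "DENIED" : "OK"
            sub(/.*COMMAND=sudoedit */, "") # keep only the edited path(s)
            print status, user, $0
        }'
}

# Total number of sudoedit invocations in the log text.
count_sudoedit_events() {
    sudoedit_events "$1" | wc -l | tr -d ' '
}

# Users whose sudoedit attempts were denied (candidates for a closer look).
denied_sudoedit_users() {
    sudoedit_events "$1" | awk '$1 == "DENIED" { print $2 }' | sort -u
}

# Per-user invocation counts, "user count" per line, to spot unusual volume.
sudoedit_count_by_user() {
    sudoedit_events "$1" | awk '{ n[$2]++ } END { for (u in n) print u, n[u] }' | sort
}

# Stand-alone run: summarise the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    sudoedit_events "$SAMPLE_LOG"
    echo "total: $(count_sudoedit_events "$SAMPLE_LOG")"
    echo "denied users: $(denied_sudoedit_users "$SAMPLE_LOG" | tr '\n' ' ')"
fi
```

Edits of files such as /etc/shadow or /etc/sudoers via sudoedit, a denied attempt followed shortly by a successful one from the same user, or a working directory under /tmp are the kinds of patterns worth reviewing against the "SELinux permission denials followed by successful operations" indicator above.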
